our enterprise security Empowering business

Introduction

Communication is changing the way we live and work. Ericsson plays a key role in this evolution, using innovation to empower people, business and society.

This document is intended to provide the reader with an overview of how Ericsson addresses the different aspects of our Enterprise Security, i.e. Personal Security, Asset Protection and Product Security. Any additional questions after reading this document on our Enterprise Security should be sent to Ericsson via

Ericsson manufactures and supplies products on the basis of international standards such as 3GPP (wireless) and best architecture practices such as ITU-T recommendation X.805. Business operations, including managed services, are carried out in line with the ISO/IEC Information Security Management standard.

Ericsson believes that security is crucial for maintaining and enhancing stakeholder confidence by:

>> Personal Security: doing all that can be done to ensure the wellbeing and safety of Ericsson's personnel, and disaster response efforts.
>> Asset Protection: protecting the information and physical assets for which Ericsson is custodian (our own, our customers' and partners').
>> Product Security: providing products which are resilient to serious threats presented by the evolving telecom landscape, and assisting with security services to ensure our customers' assets are well defended.

We are evolving from a mainly transactional relationship of managing security KPIs into truly becoming a part of the customer's business. Customers should rest assured that Ericsson treats their business as we do our own. This leads us to increased customer collaboration and greater complexity in our customer relationships.

Today Ericsson has the telecom industry's most comprehensive managed services offering. Activities range across designing, building, operating and managing day-to-day operations of a customer's network. We manage networks that serve more than 750 million subscribers in more than 100 countries.

Ericsson's business is driven by speed and simplicity. Our growth and success lies in our ability to collaborate and build partnerships, while knowing and acting on inherent security risks. Security should provide the right balance of risk taking versus risk mitigations. Due to the ongoing evolution of the worsening threat landscape, it is important to align security mechanisms through proper risk management processes, instead of relying on isolated security controls. Security risk management in daily operations is always under improvement, and regular reviews take place to ensure the effectiveness of controls, including assessing any new threats and vulnerabilities. Ericsson is in a leadership position today, but we have to evolve to meet our customers' expectations.

Respect, including respect for the privacy of individuals, is one of our core values to be complied with by all employees in their work for Ericsson. We are committed to protecting the privacy and confidentiality of personal information, including, but not limited to, that of employees, contingent workforce, customers and end-users. As the relationship with customers is becoming more complex, we are proud of having a world-wide organization of security professionals supporting account managers in dealing with whatever security concerns our customers may have.

Personal Security

We are committed to ensuring a safe working environment and healthy workplaces around the world. We have a comprehensive organization and supporting tools to assist personnel in our business activities should an emergency occur. All personnel have access to a dedicated 24/7 emergency number and the latest travel advisories for all countries in which we operate. Personnel who are exposed to threats shall be given adequate personal protection.

Following the 9/11 attack and the Thailand Tsunami of 2004, the need to instantly know who is where became evident. On Group level we have access to travel details for most of the business travelers. We are proud to say that today we are able to reach almost all staff with an immediate warning SMS, or to request travelers to confirm health status and location. However, even with the current high level of Ericsson knowledge relating to travelers' whereabouts, we are constantly seeking to improve by increasing coverage, both in terms of the number of travelers and also geographical area.

When an incident is perceived as a crisis, Ericsson's crisis management organization takes action. Regions within Ericsson all have a Crisis Management Task Force (CMTF) to deal with severe incidents not managed by normal incident management procedures. We strongly believe that a crisis situation is best handled locally by the affected organization's CMTF. At Group level the Group Crisis Management Council (GCMC) is the supervisory body which monitors and supports CMTF actions. Many successful tasks have been carried out, including evacuation of staff from places of unrest, rescue operations from earthquake-hit areas, etc. We are taking every opportunity to improve by reviewing lessons learned following all major crisis situations that have occurred.

Crisis Management

We manage a crisis situation in accordance with applicable steering documents, and actions are prioritized to remove or minimize threats to life and safety. Our priorities in a crisis are:

1. Removing threats to life or safety
2. Protecting the commercial interest of Ericsson
3. Protecting the brand
4. Ensuring that Ericsson is acting as a responsible corporate citizen

The following diagram outlines our crisis management organization.

>> Group Crisis Management Council (GCMC): manages crisis on Group level
>> Crisis Management Task Force (CMTF): manages crisis on Regional and Business Unit level
>> Customer Units, Company/site crisis teams: manage crisis in the country or on the site

Disaster Response Efforts

While we as individuals cannot do much about specific events, we can do something about the aftermath. When there is a human need to communicate, Ericsson is there.

The Ericsson Response program is based on Ericsson's previous involvement and experience in various disaster response efforts throughout the world and is run in collaboration with several United Nations organizations, the International Federation of the Red Cross and the Red Crescent (IFRC), Save the Children and other partners. Ericsson Response was founded in April 2000 at the request of company employees who wanted to use their experience and skills in disaster relief situations on a voluntary basis. Since then hundreds of Ericsson employees from all global regions have volunteered, been trained and deployed in various disaster relief operations.

Asset Protection

We provide support for networks with over 2 billion subscribers and we manage networks serving more than 750 million subscribers. In addition, we handle many trade secrets in our daily operations. This responsibility, entrusted to us by our customers and partners, has led Ericsson to cultivate strong capabilities in the area of asset protection.

Ericsson is convinced that meeting the challenging business demands to protect assets that we own, or have been entrusted with, involves the implementation of security frameworks which augment our day-to-day operations. These frameworks are supported by top-level management and are clear on roles and responsibilities. Information Security, Physical Security and Business Continuity are all in scope for such frameworks, resulting in consistent, efficient and cost-effective Enterprise Security.

Information Security

The Information Security Management (ISM) framework defines how we manage information security in alignment with the international information security management standard ISO/IEC. However, when there is a clear business value and/or a customer request, Ericsson will proactively acquire ISO/IEC certification within a defined and prioritized scope.

Correct access to correct information at the right time is at the core of Ericsson's business. The human factor plays an important role in protecting information. All staff are regularly trained in basic security practices, and Ericsson utilizes ongoing information campaigns to keep everyone informed and up to date. One important contributor to achieving an advanced level of information security is IT security: ensuring that IT systems perform as expected and have sufficient capability to protect information.

Security controls that we have implemented are based on industry best practices and general standards, such as CobiT (used for the SOX ITGC controls), ISO 27001, NIST, privacy laws, and other applicable regulations. Experience to date has proven their effectiveness, attested to by various activities including penetration testing and external audits.

Information security awareness training is an essential part of the ISM framework. All leadership teams, employees and external workforce are targeted for regular awareness activities. Awareness session slide:

Purpose of this session
>> Raise awareness on Information Leakage.
>> Understand the connection between risk of information leakage and your position.
>> Become more risk conscious and know how to act.
"Two can keep a secret if one of them is dead" (Confucius, 500 BC)

Physical Security

The Physical Security Management framework defines how we manage physical security. As a global organization we have a long tradition of defining and implementing physical security controls to counter the wide and varied array of threats. Physical Security includes protection against unauthorized access, fire and other hazards. Now we are in a phase of aligning physical security management with information security management in order to satisfy requirements set out by ISO/IEC. The physical security framework is executed locally to achieve cost effectiveness, taking local threats and vulnerabilities into account.

Business Continuity

We feel that there is a high sense of urgency for Business Continuity Management (BCM) due to events such as pandemics, ash clouds, severe storms and acts of violence. We have seen an increase in awareness of and demands for BCM from customers and other stakeholders, which we address through Ericsson's BCM framework. We are proud to announce that our external auditors, DNV, PWC and E&Y, are supporting this BCM framework approach and that it has been deployed throughout the organization.

Product Security

Product Security is the capability embedded in our products to support secure network operation by preventing damage from threats such as denial-of-service attacks, and theft or manipulation of network data. We manufacture and supply our products on the basis of international standards for the management of telecommunication products, such as 3GPP, and best architecture practices such as the ITU-T X.805 recommendation.

Network operators and service providers must adapt to a continuously changing risk landscape, and vendors must provide appropriate security in their products, solutions and services. We are actively adapting our products as networks evolve, based on best practices and our own experience of network operations. Thus best-of-breed products and operational experience are embedded into Ericsson's offerings.

The evolving networks and changing threat scenarios demand appropriate measures to be taken during the product development process. These measures enable us to ensure the required level of product security. Although the required level of product security shall always be determined in a business context, we also have Generic Baseline Security Requirements to provide a basic security level that is in balance with the risks faced and our customers' explicit and implicit expectations. Apart from security functionality implemented in the product itself, hardening and vulnerability analysis are part of the development process.

>> Generic Baseline Security Requirements
>> Security Design Rules
>> Security in Depth

In achieving the required level of product security, Ericsson uses well-defined Generic Baseline Security Requirements and Security Design Rules that are regularly updated to match the changes in technology, regulations and business. The Generic Baseline Security Requirements are based on existing best practices in the industry and what is normally expected as the inherent level of security in telecom products. The Security in Depth principle, which can be summed up by the term "belt and braces", is fundamental for the Generic Baseline Security Requirements. It is considered a fundamental security principle for products supplied by Ericsson and is based on many complementary security mechanisms arranged to support each other.

Telefonaktiebolaget LM Ericsson, SE Stockholm, Sweden
Telefonaktiebolaget LM Ericsson 2011
